By Andrew Brandt
A Trojan that pulls a sly performance of now-you-see-me-now-you-don’t disguises itself on an infected system as the Adobe Updater, a real program that’s installed alongside such mainstay applications as the Adobe Reader. This method of hiding in plain sight means the downloader, Trojan-Downloader-Karagany, may remain active on an infected system for an extended period of time, reinfecting PCs even after the more obvious payloads have been cleared up.
During the initial infection, subtlety is this Karagany’s strong suit. When executed, it pulls an act I find slightly more interesting than the conventional “copy itself from one place to another, then delete the original” behavior that is so common among contemporary malware.
In this case, the malware app (which uses an Adobe icon) does copy itself to another location — the \Application Data\Adobe folder under the currently logged-in user’s account, using the filename AdobeUpdater.exe — but leaves behind a benign program afterward, in exactly the same place as the original, and with the same filename as the original. Watch this video to see just how slick this shell game can be.
The Trojan makes a duplicate of a legitimate Windows app (the Microsoft HTML Application Host, or MSHTA.exe), naming the copy with the same filename the Trojan used at the time it was executed, and replaces itself with the renamed MSHTA.exe in precisely the same location. The effect is low-key — the program simply seems to lose its icon.
You’ll also note that, when the Trojan pulls the big switcheroo, another file appears in the upper-right corner of the screen, named err.log4568468 (it’s actually just err.log followed by seven random digits). That’s a backup copy the Trojan makes of itself. The extra file the Trojan throws into the \Application Data\Adobe folder (AdobeUpdate .exe, with an extra space just before the period) is another copy of the benign MSHTA.exe file.
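As an added triage check (not code from the post or from Webroot), here is a Python scan for the file-system artifacts this post describes: the err.log backup copy, the space-before-the-extension decoy, the AdobeUpdater.exe copy under Application Data\Adobe, the localftp2.dll plugin, and any file that is byte-identical to mshta.exe but carries another name (the swapped-in decoy). The directory tree it builds is constructed for the demonstration and stub bytes stand in for the real mshta.exe; on a live system you would pass the hash of the genuine System32\mshta.exe instead.

```python
import hashlib
import os
import re
import tempfile

# Filename indicators from the post: err.log plus seven digits (the backup
# copy), the decoy with a space before the extension, the plugin DLL.
NAME_PATTERNS = {
    "backup_copy": re.compile(r"^err\.log\d{7}$", re.I),
    "space_before_ext": re.compile(r"^AdobeUpdate \.exe$", re.I),
    "plugin_dll": re.compile(r"^localftp2\.dll$", re.I),
}
FAKE_UPDATER_DIR = re.compile(r"[\\/]Application Data[\\/]Adobe$", re.I)

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan(root, mshta_hash):
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for label, pat in NAME_PATTERNS.items():
                if pat.match(name):
                    hits.append((label, full))
            if name.lower() == "adobeupdater.exe" and FAKE_UPDATER_DIR.search(dirpath):
                hits.append(("updater_in_appdata", full))
            # A byte-identical copy of mshta.exe under any other name is the decoy.
            if name.lower() != "mshta.exe" and sha256_of(full) == mshta_hash:
                hits.append(("renamed_mshta_copy", full))
    return sorted(hits)

def demo():
    root = tempfile.mkdtemp()  # constructed tree mirroring the post's layout
    adobe = os.path.join(root, "Application Data", "Adobe")
    stub = b"MZ-constructed-mshta-stub"  # stands in for the real mshta.exe
    files = {
        os.path.join(root, "system32", "mshta.exe"): stub,
        os.path.join(root, "Desktop", "invoice.exe"): stub,  # original, swapped out
        os.path.join(root, "Desktop", "err.log4568468"): b"MZ-trojan",
        os.path.join(adobe, "AdobeUpdater.exe"): b"MZ-trojan",
        os.path.join(adobe, "AdobeUpdate .exe"): stub,
        os.path.join(adobe, "plugs", "localftp2.dll"): b"MZ-plugin",
    }
    for path, data in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return [label for label, _ in scan(root, sha256_of(os.path.join(root, "system32", "mshta.exe")))]
```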
The Downloader shows signs of being run more like a botnet. During a series of tests last week, it received the command loadplugin:localftp2 followed by a URL, after which it created a subfolder, named \plugs, where it stored a file named localftp2.dll.
In later tests, the file received the command to download and execute a program called InstallAntivirus2010.exe. Gee, I wonder what that does. The Trojan forges the User-Agent string in the HTTP GET command so it appears in the Web server logs that the file is being downloaded by users of (one version or another of) the Opera browser.
Back to the real Adobe Updater for a moment. It resides along a different folder path than the one the malware chooses to install itself. The real updater is also digitally signed by Adobe Systems, something that’s clearly visible in the file properties sheet of the application.
Of course, once the downloader’s rogue antivirus payload comes down the wire, all pretense of subtlety is thrown out the window. But by then, it’s too late to do anything about it.
In this case, the domain where the downloader receives its instructions as well as its payloads is myusermanager.in — a site hosted in Latvia, despite the fact it uses India’s .in top-level domain in its name. The domain was idle all last week when I began testing the Trojan, but someone flipped the switch over the weekend, and it started pushing payloads to infected systems early Saturday morning.
On one machine, we retrieved the fairly common Security Tool rogue. On another, we got a different but also common rogue, named Antivirus 2010. Either way, the cleanup is annoying: both rogues disable certain key Windows features, like the ability to edit the Registry, launch the Task Manager, or change the background image. And, of course, both rogues are complete frauds.
What I like the most about either rogue is that they have nicely appointed “payment” Web sites (such as 2010billing.com, shown above), where the fraud is completed when money changes hands. They even have local telephone numbers in the US, Canada, UK, and Australia, where you can direct vitriol when you discover you (or someone you know) has been scammed.
But don’t expect to get anything back from the company if you complain, and don’t bother emailing that webtopantivirus.com email address, either. The domain is parked and idle. You’re better off reporting the purchase to your credit card bank as a fraudulent transaction.